METHOD, SYSTEM AND APPARATUS FOR PROVIDING
AUTHENTICATION OF DATA COMMUNICATION



TECHNICAL FIELD OF THE INVENTION 

The present invention relates generally to communicating data over a
communication link.

BACKGROUND OF THE INVENTION 

The Simple Network Management Protocol (SNMP) is a standard applications-level
protocol by which management information for a network element may be inspected
or altered by logically remote users. SNMP is widely used for managing the Internet
and other networks using the Transmission Control Protocol (TCP/IP) or the User
Datagram Protocol (UDP) for client-server communication. SNMP, however, is not
limited to any particular client-server communication protocol, since SNMP governs
the content and protocol of messages for accessing the management information and
not the particular manner in which the messages are transmitted. SNMP is defined
in an Internet standards document, RFC 1157, by J. Case, M. Fedor, M. Schoffstall,
and J. Davin entitled "A Simple Network Management Protocol (SNMP)", May
1990, incorporated herein by reference.

SNMP messages are transmitted between a client (referred to as a "manager" in the
RFC 1157) and a server (referred to as an "agent" in the RFC 1157) in a network.
Each SNMP message is an ASN.1 standard data structure that includes an SNMP
version number of type INTEGER, a community name of type OCTET STRING (a
string of 8-bit bytes), and data of type ANY.

The SNMP specification defines a protocol data unit (PDU) for use in the data
portion of five different classes of SNMP messages. The PDU is an ASN.1 data
structure including a Request ID of INTEGER type, an Error Status of INTEGER
type, an Error Index of INTEGER type, a VarBind of SEQUENCE type, and a
VarBindList which is a SEQUENCE OF VarBind. The Request ID identifies
whether the PDU is for a Get request for obtaining values of instances of managed
objects, a Get next request for obtaining the next value in a list of values, a Get
response message for responding to a request message, a Set request for changing
the values of instances of the managed objects, and a Trap message. The managed
objects for a particular network element are defined in a data structure called a
Management Information Base (MIB). The MIB includes Object Identifiers (OID)
of the managed objects in the network element, and the OIDs are expressed as path
names.

SNMP provides a very low level of security. There is not a secure enough method to
configure devices using SNMP based communication. There is a threat of
eavesdropping or snooping. It is too easy to monitor the traffic between the agent
and the client and to pose as an agent or a client. There is a threat that an
unauthorized entity may alter in-transit SNMP messages. Moreover, the "community
string" is accessible to anyone who may tap into the network, so that an
unauthorized entity may assume the identity of an authorized entity.

One approach has been such that the agent has an authentication service that uses
the community name as a kind of password. If the authentication service determines
that the community name is not appropriate for access to the agent, then the agent
will reject the message. This is discussed in the RFC 1157, for example, in the
chapter 4.1.6.5. However, because of the simplicity of the mere password approach,
it is fairly easy to monitor the traffic between the entities, crack the simple
password and pretend to be either party.

Another approach has been discussed in a patent publication US 6,044,468. An
encryption service in the client encrypts network management information with a
secret key that can be recognized by the agent to which the message is directed. The
encryption service invokes an SNMP message transmission service in the client to
form a secure SNMP message having an apparent Object ID (OID) that identifies a
decryption service in the agent and having an apparent Value that includes the
encryption result. The SNMP message transmission service invokes a
communication protocol service in the client to send the secure SNMP message to
the agent. A communication protocol service in the agent receives the secure SNMP
message, and passes the received message to an SNMP message reception service in
the agent. The SNMP message reception service checks whether or not a
Community Name visible in the secure SNMP message is appropriate for access to
the agent, and if so, searches a Management Information Base (MIB) in the agent
for a sub-agent corresponding to the apparent OID, and if such a sub-agent is found,
dispatches the apparent Value of the apparent OID to the sub-agent. The sub-agent
decrypts the encryption result in the apparent Value, and rejects the message if the
sub-agent is unable to recognize a secret key authorized for access to the agent.

However, such an approach still requires an increase in the complexity of the system
by the encryption of the transferred message and the need for sub-agent based
additional verification. This is a disadvantage especially in SNMP because the
system is designed to be a simple and quite universal communication protocol for
various systems.

In view of various inherent limitations of SNMP based communication and systems,
it would be desirable to avoid or mitigate these and other problems associated with
prior art. Thus, there is a need to have a mechanism for authentication that the
message has originated from a particular entity. However, it is also desired for the
mechanism to be as compatible as possible with the SNMP data structures and
protocols.

SUMMARY OF THE INVENTION

Now a method and a system have been invented for an authentication of an entity in
an ordinarily insecure network communication protocol such as the Simple Network
Management Protocol (SNMP).

In accordance with a first aspect of the invention there is provided a system for
providing authentication of data communication over a communication link between
a client and an agent in accordance with an ordinarily insecure network
communication protocol, the protocol comprising a communal string field for an
appliance in the data communication, wherein a string to be applied once, based on
a shared seed between the client and the agent, is adapted to be incorporated into the
communal string field to be transmitted between the client and the agent for
authentication, wherein the string is determined by a substantially similar algorithm
at both the client and the agent based on the shared seed.

In accordance with a second aspect of the invention there is provided an apparatus
for providing authentication of data communication over a communication link
between a client and an agent in accordance with an ordinarily insecure network
communication protocol, the protocol comprising a communal string field for an
appliance in the data communication, wherein a string to be applied once, based on
a shared seed between the client and the agent, is adapted to be incorporated into the
communal string field to be transmitted between the client and the agent for
authentication, wherein the once applied string is determined by a substantially
similar algorithm at both the client and the agent based on the shared seed.



In accordance with a third aspect of the invention there is provided a method for
authentication of data communication over a communication link between a
transmitting network entity and a receiving network entity in accordance with an
ordinarily insecure network communication protocol, the protocol comprising a
communal string field for an appliance in the data communication, wherein the
method comprises the steps of:

establishing a seed at either network entity for sharing the seed to the one
network entity, which did not establish the seed,

sharing the seed with the one network entity, which did not establish the seed,

generating a string to be applied once based on the shared seed at both the
transmitting network entity and the receiving network entity,

incorporating, at a transmitting network entity, the string into the communal string
field for transmitting a message in accordance with the ordinarily insecure network
communication protocol,

receiving the message at the receiving network entity,

checking the string of the communal string field of the message for correspondence
with the string, which is calculated, at the receiving network entity, and

authenticating the message if there is a correspondence between the string of the
communal string field of the message and the generated string.

For better understanding of the present invention reference is made to the following
description, taken in conjunction with the accompanying drawings, and its scope
will be pointed out in the appending claims.

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention will now be described, by way of example only, with reference to the
accompanying drawings, in which:

Figure 1 depicts an embodiment of a networking environment in which the
principles of the invention are applied,

Figure 2 depicts an example of encoded SNMP message for containing a dynamic
variable identifier for an authentication of a network entity in accordance with an
embodiment of the invention,

Figure 3 depicts in a form of a combined flow chart and signaling diagram a method
for authentication of a network entity in an ordinarily insecure network
communication protocol in accordance with an embodiment of the invention,

Figure 4 depicts in a form of a flow chart a collective method for authenticating
network entities in an ordinarily insecure network communication protocol in
accordance with an embodiment of the invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

The preferred embodiments of the invention provide a method, a system and
network entities for authenticating the participants. The preferred embodiments
apply the communal string field of the SNMP message to secure set based operation
between the agent and the client. Each communal string is applied only once and a
new one is determined with the same secure algorithm at both ends. The used secure
algorithm is based on a random seed and can provide the system with required
security by complex enough creation of the new communal string from the seed.
The applied communal string should contain enough bits, so that anyone monitoring
the traffic cannot use random/sequence strings. Preferably, at least five characters
should be applied. The method, the system and the entities according to the
invention are very practical because they can provide the ordinarily insecure
network communication protocol such as the Simple Network Management Protocol
(SNMP) with some security and authentication and yet preserve the simple
philosophy of such a communication way.

Fig. 1 has been described in the foregoing. In the following, corresponding
reference signs have been applied to corresponding parts. Some embodiments of the
invention apply the client (100). The client (100) is defined as a data processing
device transmitting (and possibly receiving) a message over a network (104). The
client (100) can be a workstation of a user or an administrator (not shown). The
client (100) includes a data processor (not shown), and memory (not shown). The
data processor executes various programs in the memory, and the execution may
change information state in the memory. Similarly, some embodiments of the
invention apply the agent (102). The agent (102) is defined as a data processing
device receiving (and possibly transmitting) the message. The agent (102) can be a
network file server being configured by the system administrator. The agent (102)
includes also a data processor (not shown) and a memory (not shown). Some more
technical details about the client and the agent can be found from the
standardization specification RFC 1157.

Some embodiments of the invention apply the SNMP message. The SNMP message
contains three main parts: the protocol version, the SNMP community identifier also
referred to as the communal string or the communal string field, and the data area.
The data area is divided into protocol data units (PDUs). The SNMP message
applies ASN.1 encoding. An example of encoded SNMP message can be seen in
Figure 2. The communal string field is stored in a character string, which in the
example, is a 6-octet string that contains the word 'public'. Some more technical
details about the SNMP message can be found from the standardization
specification RFC 1157.

Referring back to the example of Fig. 1, the client (100) uses the Simple Network
Management Protocol (SNMP) to inspect or alter management information of the
agent (102). The client (100) includes a client application program (not shown),
which specifies the management information to be inspected or altered, and the
agent (102) includes an agent application program (not shown) which is capable of
accessing or altering management information in the memory of the agent (102).
SNMP is an application-level protocol, which is invoked by the client application
program or the agent application program to send or receive messages using various
kinds of communication protocols. The client 100 has a SNMP transmit service (not
shown) and a SNMP receive service (not shown) for transmitting and receiving,
respectively, SNMP messages. The SNMP transmit service invokes a
communication protocol service (not shown) to transmit SNMP messages over the
network (104). In a similar fashion, the communication protocol service may receive
SNMP messages from the network (104) and direct the messages to the SNMP
receive service. The agent (102) likewise has a SNMP transmit service (not shown),
a SNMP receive service (not shown), and a communication protocol service (not
shown). The communication protocol services, for example, use the Transmission
Control Protocol (TCP/IP) or the User Datagram Protocol (UDP).

Still referring to the example of Fig. 1, both entities (the client 100 and the agent
102) have a secure algorithm program (not shown) for calculation of a new
communal string from the seed. The secure algorithm is based on the generated or
obtained seed depending on the entity as described later in more detail. The secure
algorithm program receives the seed. Based on the received seed the secure algorithm
program calculates a new value/string, which, thus, is also based on the seed. This
new value is random and is not based on cyclical sequential series. However, the
round of the calculation does have an importance in such a way that, starting from
the seed, the round in question provides always the same value (the same string).
This provides an advantage for the system as the secure algorithm program outputs
the very same value for the same round starting from the seed. For example, 1) a
character string "qwerty" stands for the seed. 2) The secure algorithm program
receives the string "qwerty" and produces a new string value "!"//a%&yO""". In this
step it should be noted that the very same result "!"#n%&/f would be produced
even if not exactly the same program at the same entity performed the
operation. For example, the client and the agent having a similar secure algorithm
program would arrive at the same result in the first round. 3) The secure algorithm
produces a new string value "ASDFGHJKL" for the second calculation round. Of
course, this would again be the result in any secure algorithm program running in
any operable device for this particular round. The secure algorithm program can be
based on, for example, MD5.

MD5 is an algorithm that is used to verify data integrity through the creation of a
128-bit message digest from data input (which may be a message of any length) that
is claimed to be as unique to that specific data as a fingerprint is to the specific
individual. MD5 is intended for use with digital signature applications, which
require that large files must be compressed by a secure method before being
encrypted with a secret key, under a public key cryptosystem. MD5 is currently a
standard, Internet Engineering Task Force (IETF) Request for Comments (RFC)
1321, incorporated herein as a reference. According to the standard, it is
"computationally infeasible" that any two messages that have been input to the MD5
algorithm could have as the output the same message digest, or that a false message
could be created through apprehension of the message digest. MD5 is the third
message digest algorithm. All three (the others are MD2 and MD4) have similar
structures, but MD2 was optimized for 8-bit machines, in comparison with the two
later formulas, which are optimized for 32-bit machines. The MD5 algorithm is an
extension of MD4, which the critical review found to be fast, but possibly not
absolutely secure. In comparison, MD5 is not quite as fast as the MD4 algorithm,
but offers much more assurance of data security.

Still referring to the example of Fig. 1, the agent 102 maintains also a random
number generator for establishing the seed. Preferably, the random number
generator is a pseudo-random number generator (PRNG). The PRNG is a program
written for, and used in, probability and statistics applications when large quantities
of random digits are needed. Most of these programs produce endless strings of
single-digit numbers, usually in base 10, known as the decimal system. When large
samples of pseudo-random numbers are taken, each of the 10 digits in the set
{0,1,2,3,4,5,6,7,8,9} occurs with substantially equal frequency, even though they are
not evenly distributed in the sequence. For example, the random number generator
generates the seed "qwerty". Alternatively, the client 100 may maintain the random
number generator, or both network entities may have the random number generator.

Still referring to the example of Fig. 1, both network entities store an
authenticity checking program (not shown). The authenticity checking program is
applied in the system for checking whether the communal string is what it is
expected to be. Some operations of the authenticity checking program are described
next. As any communal string has been generated from the seed, the calculated new
communal string is incorporated into the SNMP message for authentication and
transmitted to the other end. The other end checks the authenticity and validity of
the SNMP message by checking the communal string field and comparing the
received communal string field value/string to the value/string obtained from the
secure algorithm program of the other end. If the values/strings indicate (or are) the
same, it can be deduced that the SNMP message is authentic and derives from the
appropriate authentic party. If there is any difference between the received
communal string value/string and the calculated communal string value of the
receiving end, the authenticity checking program outputs an error. This may show
that there is a possibility of an unauthorized party.

Fig. 3 has been described in the foregoing. In the following, corresponding
reference signs have been applied to corresponding parts. The example of Fig. 3
comprises two substantial network entities or alternatively referred to as network
nodes: the client 100 and the agent 102. The example of Fig. 3 is compatible to
operate in accordance with the ordinarily insecure network protocol communication
such as the SNMP. Either one of the network entities establishes the seed (steps
300 and 302). Preferably, the agent 102 establishes the seed by the random number
generator program. The client 100 contacts the agent 102 by the get operation in
accordance with the SNMP communication protocol. At this step, the seed may or
may not be established beforehand, or established as the initiation for the SNMP
communication has been received. The client 100 transmits the get operation to the
vendor-specific object with any communal string. The agent 102 receives the
communication and replies to the client 100 by transmitting the seed. Preferably, the
seed is contained in the Protocol Data Unit (PDU) field of the SNMP message. The
seed has enough significant bits to randomize the actual seed and any derivative
based on the seed.

Referring to the example of Fig. 3, alternatively, the seed can be established at the
client 100 but of course the seed is communicated to the agent 102 via the SNMP
messaging for harmonizing the network entities for the secure algorithm process.

Still referring to the example of Fig. 3, in the steps 304 and 306 a new communal
string is calculated from the seed. Both the agent 102 and the client 100 calculate by
the secure algorithm program the new communal string from the seed. The
calculated communal string is stored at both entities. Thereafter, whenever there
is a need to do the SET based operation, the determined communal string for
authentication of the party is ready for appliance. In step 308 the client has received
a need for some network operation, which can preferably presume some level of
security. The client 100 attaches or incorporates the generated communal string into
the communal string field. The client 100 sends SET based operation to the agent
102. The transmission comprises the SNMP based message(s) that contains the
determined string in the communal string field. The agent 102 receives the SNMP
message in the steps 308 and 310. The agent 102 checks the SNMP message and in
particular the communal string field. If the communal string field is what it is
expected to be, for example, the value of the transmitted communal string field
matches with the values of the calculated communal string field value of the agent
102, the agent 102 accepts the authenticity. The agent 102 may respond by sending a
positive acknowledgement message to the client 100. Alternatively, the agent 102
may attach the generated communal string field value of the agent 102 into the
respond SNMP message for further authentication by the client 100. The steps 308
and 310 are applied only once for the currently applied calculated communal string
field value. After the value has been applied once, the process returns to the steps
304 and 306 at the respective ends. Advantageously, the authentication string is
therefore used only once, which makes the authentication string more difficult to
crack by monitoring. Thus, whenever there is a need to do more SET based
operation, or a single SET based operation presumes more than one authentication
for the messages, or every message should, for some reason, be authenticated, the
new communal string is determined at both ends (steps 304 & 306), and the new
determined string is applied once for authentication process in the actual SET
operation in the steps 308 & 310. The loop of the steps 304 & 306 and the steps 308
& 310 can be performed as many times as both ends maintain the same round for
the generation and the appliance and, consequently, the identification of the
value/string of the communal string field.

Still referring to the example of Fig. 3, if the agent 102 detects that the value of the
communal string field, which the agent 102 has received does not match with the
value it has calculated, the agent 102 can deduce that the SNMP message is not
authentic. Consequently, the agent 102 can disregard the SNMP message it has
received. The agent 102 returns the process back to the step 300 for establishing the
seed again. The agent 102 can respond an error acknowledgement (negative
acknowledgement) to the one that has sent the SNMP message. Therefore, the one
that has sent the SET operation SNMP message receives information about the
failure. Now if this one is the client 100 compatible (and not any imposter), it can
return to the step 302 in the process for establishing the proper authenticated
communication with the agent 102 again.
Still referring to the example of Fig. 3, of course, if the client 100 detects that the
value of the communal string field, which the client 100 has received does not
match with the value it has calculated, the client 100 can deduce that the SNMP
message is not authentic.
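
The loop of steps 300 to 310 described above, written out as an added example that is not part of the original text: both ends derive the string for each round from the shared seed, the agent accepts each string once, and a mismatch sends both ends back to seed establishment. The class and function names are hypothetical, and SHA-256 over the seed and a round counter is an assumption standing in for the "secure algorithm", which the text says can be based on MD5.

```python
# Added example (not the patent's code): one-time community strings derived
# per round from a shared seed, with the agent-side check and reseed path.
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def derive(seed: bytes, rnd: int, length: int = 16) -> str:
    """Community string for calculation round rnd (1, 2, ...).

    Assumption: SHA-256 over seed || round counter stands in for the page's
    "secure algorithm"; MD5, which the page names, has known collisions.
    """
    digest = hashlib.sha256(seed + rnd.to_bytes(4, "big")).hexdigest()
    return digest[:length]


class Endpoint:
    """State both ends keep: the shared seed, the round, the current string."""

    def __init__(self) -> None:
        self.seed: Optional[bytes] = None
        self.round = 0
        self.current: Optional[str] = None

    def load_seed(self, seed: bytes) -> None:       # steps 304/306, first round
        self.seed, self.round = seed, 0
        self._advance()

    def _advance(self) -> None:                      # next round, new string
        self.round += 1
        self.current = derive(self.seed, self.round)

    def forget_seed(self) -> None:                   # back to step 300/302
        self.seed, self.round, self.current = None, 0, None


class Agent(Endpoint):
    def get_response_with_seed(self) -> bytes:
        """Step 300: establish a fresh seed and return it in the get-response."""
        seed = secrets.token_bytes(16)
        self.load_seed(seed)
        return seed

    def handle_set(self, community: str) -> bool:
        """Step 310: accept only the current round's string, exactly once."""
        expected = self.current
        if expected is None or not hmac.compare_digest(
                community.encode(), expected.encode()):
            self.forget_seed()                       # mismatch: seed re-established
            return False
        self._advance()                              # the string is now spent
        return True


class Client(Endpoint):
    def community_for_set(self) -> str:
        """Step 308: take the current string for one SET, then move on."""
        if self.current is None:
            raise RuntimeError("no seed; perform the get operation first")
        value = self.current
        self._advance()
        return value


def demo() -> Dict[str, bool]:
    agent, client = Agent(), Client()
    client.load_seed(agent.get_response_with_seed())
    first = client.community_for_set()
    results = {"first_set": agent.handle_set(first)}
    results["second_set"] = agent.handle_set(client.community_for_set())
    results["first_string_again"] = agent.handle_set(first)   # already applied once
    results["set_before_reseed"] = agent.handle_set(client.community_for_set())
    client.load_seed(agent.get_response_with_seed())          # both ends start over
    results["set_after_reseed"] = agent.handle_set(client.community_for_set())
    return results


if __name__ == "__main__":
    for step, accepted in demo().items():
        print(f"{step}: {'accepted' if accepted else 'rejected'}")
```

Because the text has the agent return the seed in the get-response, the derived strings are only as secret as that exchange.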

Fig. 4 has been described in the foregoing. In the following, corresponding
reference signs have been applied to corresponding parts. In step 400 there is
established the seed. Preferably, the seed is established by the agent 102, and the
seed can be possibly determined beforehand and stored. Alternatively, the client 100
can establish the seed, or both ends establish the seed and the one that initiates the
seed sharing determines the dominant and applied seed. The seed is generated by the
random number generator program as described above in the example of Fig. 1. In
step 402 the client 100 starts the get operation. The client 100 transmits the
get-request to the agent 102 by the SNMP message (sub-step 408). The SNMP message
contains now any communal string field value(s). As a response from the agent 102,
the client 100 receives the SNMP message containing the seed. Preferably, the seed
is contained in the PDU field of the SNMP message. Thus, the agent 102 responds
to the client 100 by the get-response (sub-step 410). Preferably, the bit amount of
the seed should be large enough that the calculated random process is reliable
enough. In step 404 there is calculated the value for the communal string field based
authentication from the seed value. Both the client 100 and the agent 102 perform
the calculation based on the same seed by the secure algorithm program as described
in context with the example of Fig. 1. The client 100 obtains a request for the SET
based communication. The calculated value based on the seed is embedded into the
communal string field of the SNMP message. The client 100 sends SET based
operation by the SNMP message to the agent 102. The SNMP message contains the
calculated communal string field value. The agent 102 receives the SNMP message
and checks the communal string field of the SNMP message. The agent 102 checks
whether the value of the communal string field of the SNMP message matches with
the value, which the agent 102 has calculated from the seed by the secure algorithm
program. The agent sends acknowledge response if there is a match. The agent 102
also acts according to the SET operation request received from the client 100. The
step 406 ensures that in the process the authentication string is only applied once.
Both ends perform the step 406 only once for ensuring and increasing security by
forcing both ends to generate a new communal string from the seed for the
authentication. The loop of the steps 404 and 406 can be performed as many times
as both ends maintain the same round for the generation and for the appliance
and, consequently, the identification of the value/string of the communal string
field.

Still referring to the example of Fig. 4, alternatively the system can have an
additional authentication step. After the agent 102 has received the SNMP message
containing the first communal string field value for authentication, the agent 102
normally checks the correspondence between the received value and the created
value. The agent 102 will now include the value, which the agent 102 has created by
the secure algorithm program, into the communal string field of the acknowledgement
SNMP message, and send the message to the client 100. The client 100 receives the
message, and also checks the correspondence between the value, which the client
created by the secure algorithm program and which was sent to the agent 102, and
the value of the received acknowledgement SNMP message. If there is a match, the
client 100 gets a double authorization check. The client 100 may now also have the
knowledge that he is dealing with an authorized agent. This can be beneficial for
some operation or functions that promote or even presume authorization at both
ends. For example, many telecommunication based financial transactions presume
authority of the parties. Again, in this alternative embodiment, if either end
detects that there is no match between the values of the communal string field, there
is an indication that the authenticity of the other party may be questionable. The
process returns back to the step 400.

There can be at least two options that trigger the returning. 1) Either party detects
that the values do not match and returns back to the initiating step. The other party
may still be in the loop for creating new communal string values based on the
original seed. However, the other party can detect that there is an error even though
it receives no specific message on that. As the requested SNMP message based
operation(s) provides no result, the other party can deduce that an error has occurred
and can return to the beginning of the process. 2) Either party sends the negative
acknowledgement SNMP message to the other party that the authentication will not
match. The negative acknowledgement message may contain a request to initiate the
seed creation process again.

Still referring to the example of Fig. 4, alternatively, the currently applied communal
string field value can be changed every time an SNMP message is transmitted between
the network entities. For example, a first determined communal string field value is
applied for the SET based operation from the client to the agent. A second
communal string field value is determined at both ends, and the second value is
applied for the response from the agent to the client.

The client (and the agent respectively) can act as a transmitting network entity or a
receiving network entity. Thus, the client-agent pair forms the transmitter-receiver
pair (or the receiver-transmitter respectively) in the data communication in
accordance with the ordinarily insecure network communication protocol such as
the SNMP.

Particular implementations and embodiments of the invention have been described.
It is clear to a person skilled in the art that the invention is not restricted to details of
the embodiments presented above, but that it can be implemented in other
embodiments using equivalent means without deviating from the characteristics of
the invention. The scope of the invention is only restricted by the attached patent
claims.